MidnightBSD

Advisories for vtiger

CVE-2005-3818 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER['PHP_SELF'] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2005-3819 HIGH

Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2005-3820 MEDIUM

Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, an ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2005-3821 MEDIUM

Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2005-3822 HIGH

Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2005-3823 HIGH

The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2005-3824 MEDIUM

The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db action.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2008-3101 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
vtiger vtiger_crm 5.0.4
CVE-2010-3909 MEDIUM

Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
vtiger vtiger_crm 3.0
vtiger vtiger_crm 2.0
vtiger vtiger_crm 4.2.4
vtiger vtiger_crm 5.1.0
vtiger vtiger_crm 5.0.2
vtiger vtiger_crm 5.0.3
vtiger vtiger_crm 3.2
vtiger vtiger_crm 1.0
vtiger vtiger_crm 3
vtiger vtiger_crm 2.1
vtiger vtiger_crm 4.2
vtiger vtiger_crm 4
vtiger vtiger_crm 5.0.4
vtiger vtiger_crm 5.0.0
vtiger vtiger_crm 4.0
vtiger vtiger_crm 2.0.1
vtiger vtiger_crm *
vtiger vtiger_crm 4.0.1
CVE-2010-3910 MEDIUM

Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
vtiger vtiger_crm 3.0
vtiger vtiger_crm 2.0
vtiger vtiger_crm 4.2.4
vtiger vtiger_crm 5.1.0
vtiger vtiger_crm 5.0.2
vtiger vtiger_crm 5.0.3
vtiger vtiger_crm 3.2
vtiger vtiger_crm 1.0
vtiger vtiger_crm 3
vtiger vtiger_crm 2.1
vtiger vtiger_crm 4.2
vtiger vtiger_crm 4
vtiger vtiger_crm 5.0.4
vtiger vtiger_crm 5.0.0
vtiger vtiger_crm 4.0
vtiger vtiger_crm 2.0.1
vtiger vtiger_crm *
vtiger vtiger_crm 4.0.1
CVE-2010-3911 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
vtiger vtiger_crm 3.0
vtiger vtiger_crm 2.0
vtiger vtiger_crm 4.2.4
vtiger vtiger_crm 5.1.0
vtiger vtiger_crm 5.0.2
vtiger vtiger_crm 5.0.3
vtiger vtiger_crm 3.2
vtiger vtiger_crm 1.0
vtiger vtiger_crm 3
vtiger vtiger_crm 2.1
vtiger vtiger_crm 4.2
vtiger vtiger_crm 4
vtiger vtiger_crm 5.0.4
vtiger vtiger_crm 5.0.0
vtiger vtiger_crm 4.0
vtiger vtiger_crm 2.0.1
vtiger vtiger_crm *
vtiger vtiger_crm 4.0.1
CVE-2011-4559 HIGH

SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
vtiger vtiger_crm 3.0
vtiger vtiger_crm 2.0
vtiger vtiger_crm 4.2.4
vtiger vtiger_crm 5.1.0
vtiger vtiger_crm 5.0.2
vtiger vtiger_crm 5.0.3
vtiger vtiger_crm 5.2.0
vtiger vtiger_crm 3.2
vtiger vtiger_crm 1.0
vtiger vtiger_crm 2.1
vtiger vtiger_crm 4.2
vtiger vtiger_crm 5.0.4
vtiger vtiger_crm 4.0
vtiger vtiger_crm 2.0.1
vtiger vtiger_crm *
vtiger vtiger_crm 4.0.1
CVE-2011-4670 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) viewname parameter in a CalendarAjax action, (2) activity_mode parameter in a DetailView action, (3) contact_id and (4) parent_id parameters in an EditView action, (5) day, (6) month, (7) subtab, (8) view, and (9) viewOption parameters in the index action, and (10) start parameter in the ListView action to the Calendar module; (11) return_action and (12) return_module parameters in the EditView action, and (13) query parameter in an index action to the Campaigns module; (14) return_url and (15) workflow_id parameters in an editworkflow action to the com_vtiger_workflow module; (16) display_view parameter in an index action to the Dashboard module; (17) closingdate_end, (18) closingdate_start, (19) date_closed, (20) owner, (21) leadsource, (22) sales_stage, and (23) type parameters in a ListView action to the Potentials module; (24) folderid parameter in a SaveandRun action to the Reports module; (25) returnaction and (26) groupId parameters in a createnewgroup action, (27) mode and (28) parent parameters in a createrole action, (29) src_module in a ModuleManager action, (30) mode and (31) profile_id parameters in a profilePrivileges action, and (32) roleid parameter in a RoleDetailView to the Settings module; and (33) action parameter to the Home module and (34) module parameter to phprint.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2011-4679 MEDIUM

vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2011-4680 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
vtiger vtiger_crm 3.0
vtiger vtiger_crm 2.0
vtiger vtiger_crm 4.2.4
vtiger vtiger_crm 5.1.0
vtiger vtiger_crm 5.0.2
vtiger vtiger_crm 5.0.3
vtiger vtiger_crm 3.2
vtiger vtiger_crm 1.0
vtiger vtiger_crm 3
vtiger vtiger_crm 2.1
vtiger vtiger_crm 4.2
vtiger vtiger_crm 4
vtiger vtiger_crm 5.0.4
vtiger vtiger_crm 5.0.0
vtiger vtiger_crm 4.0
vtiger vtiger_crm 2.0.1
vtiger vtiger_crm *
vtiger vtiger_crm 5.2.1
vtiger vtiger_crm 4.0.1
CVE-2013-3212 MEDIUM

vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2013-3213 HIGH

Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
vtiger vtiger_crm 5.1.0
vtiger vtiger_crm 5.3.0
vtiger vtiger_crm 5.0.1
vtiger vtiger_crm 5.0.4
vtiger vtiger_crm 5.0.0
vtiger vtiger_crm 5.0.2
vtiger vtiger_crm 5.0.3
vtiger vtiger_crm 5.4.0
vtiger vtiger_crm 5.2.0
vtiger vtiger_crm 5.2.1
CVE-2013-3214 HIGH

vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-74,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2013-3215 HIGH

vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2013-3591 MEDIUM

vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
vtiger vtiger_crm 5.3.0
vtiger vtiger_crm 5.4.0
CVE-2013-5091 MEDIUM

SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
vtiger vtiger_crm 3.0
vtiger vtiger_crm 2.0
vtiger vtiger_crm 4.2.4
vtiger vtiger_crm 5.1.0
vtiger vtiger_crm 5.0.2
vtiger vtiger_crm 5.0.3
vtiger vtiger_crm 5.2.0
vtiger vtiger_crm 3.2
vtiger vtiger_crm 1.0
vtiger vtiger_crm 2.1
vtiger vtiger_crm 4.2
vtiger vtiger_crm 4
vtiger vtiger_crm 5.3.0
vtiger vtiger_crm 5.0.4
vtiger vtiger_crm 5.0.0
vtiger vtiger_crm 4.0
vtiger vtiger_crm 2.0.1
vtiger vtiger_crm *
vtiger vtiger_crm 5.2.1
vtiger vtiger_crm 4.0.1
CVE-2013-7326 MEDIUM

Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
vtiger vtiger_crm 5.4.0
CVE-2014-1222 MEDIUM

Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that this issue is actually in the KCFinder third-party component, and it affects additional products besides Vtiger CRM.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2014-2268 MEDIUM

views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
vtiger vtiger_crm 3.0
vtiger vtiger_crm 2.0
vtiger vtiger_crm 4.2.4
vtiger vtiger_crm 5.1.0
vtiger vtiger_crm 5.0.1
vtiger vtiger_crm 5.0.2
vtiger vtiger_crm 5.0.3
vtiger vtiger_crm 6.0.0
vtiger vtiger_crm 5.4.0
vtiger vtiger_crm 5.2.0
vtiger vtiger_crm 3.2
vtiger vtiger_crm 1.0
vtiger vtiger_crm 2.1
vtiger vtiger_crm 4.2
vtiger vtiger_crm 4
vtiger vtiger_crm 5.3.0
vtiger vtiger_crm 5.0.4
vtiger vtiger_crm 5.0.0
vtiger vtiger_crm 4.0
vtiger vtiger_crm 2.0.1
vtiger vtiger_crm 5.2.1
vtiger vtiger_crm 4.0.1
CVE-2014-2269 MEDIUM

modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPassword parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
vtiger vtiger_crm 6.0.0
CVE-2015-6000 MEDIUM

Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2016-10754 MEDIUM

modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
vtiger vtiger_crm 6.5.0
CVE-2016-1713 HIGH

Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
vtiger vtiger_crm 6.4.0
CVE-2016-4834 MEDIUM

modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2018-8047 MEDIUM

vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2019-11057 MEDIUM

SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
vtiger vtiger_crm 7.1.0
CVE-2019-19202 MEDIUM

In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-276,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2019-5009 MEDIUM

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
vtiger vtiger_crm 7.1.0
CVE-2020-19362 MEDIUM

Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
vtiger vtiger_crm 7.2.0
CVE-2020-19363 MEDIUM

Vtiger CRM v7.2.0 allows an attacker to display hidden files, list directories by using /libraries and /layout directories.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
vtiger vtiger_crm 7.2.0
CVE-2020-22807 HIGH

An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
vtiger vtiger_crm 7.2.0
CVE-2022-38335

Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2023-38891

SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
vtiger vtiger_crm 7.5.0
CVE-2023-46304

modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).

Products Affected

Vendor Product Version
vtiger vtiger_crm 7.5.0
CVE-2024-42994

VTiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL Injection in the "CompanyDetails" operation of the "MailManager" module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2024-42995

VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H 2.8 5.5

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2024-44776

An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.

Products Affected

Vendor Product Version
vtiger vtiger_crm 7.4.0
CVE-2024-48119

Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.

Products Affected

Vendor Product Version
vtiger vtiger_crm 8.2.0
CVE-2025-1618 MEDIUM

A vulnerability has been found in vTiger CRM 6.4.0/6.5.0 and classified as problematic. This vulnerability affects unknown code of the file /modules/Mobile/index.php. The manipulation of the argument _operation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0 is able to address this issue. It is recommended to upgrade the affected component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-94,CWE-79,

Products Affected

Vendor Product Version
vtiger vtiger_crm *
CVE-2025-45753

A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
vtiger vtiger_crm 8.3.0
CVE-2025-45755

A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
vtiger vtiger_crm 8.3.0